My three favorites are:
Cross-forest certificate autoenrollment
Makes it possible to share a CA server between multiple forests, will work for XP/2003 clients and later OS's.
HTTP certificate enrollment
This is effectively a reverse-proxy enrollment feature via HTTP, can also be configured to only allow renewals via HTTP while maintaining the old enrollment behaviour internally.
This is however a Windows 7-client only feature.
AD Recycle Bin
Gone are the days of panic authoritative restores because someone just deleted your main OU, with W2k8 R2 comes the ability to undo that change before the objects are permanently deleted.
Changes to existing components:
V3 certificate templates for Standard Edition
You won't need the Enterprise Edition to be able to edit your certificate templates anymore, you will however need it for Cross-forest enrollment still.
...more to come.
Active Directory Certificate Services Overview [lists the differences between the SKU's for ADCS]